TITLE OF THE INVENTION 
ENCRYPTION METHOD, DECRYPTION METHOD, 
CRYPTOGRAPHIC COMMUNICATION METHOD 
AND CRYPTOGRAPHIC COMMUNICATION SYSTEM 

BACKGROUND OF THE INVENTION 
The present invention relates to an encryption method of the 
public-key cryptosystem for encrypting a plaintext into a ciphertext 
using a public key, a decryption method of decrypting a ciphertext 
generated by the encryption method into a plaintext, a 
cryptographic communication method and a cryptographic 
communication system using these encryption method and 
decryption method, and a memory product/data signal embodied in 
carrier wave for recording/transmitting an operation program of the 
encryption method. 

In the modern society, called a highly information-oriented 
society, based on a computer network, important business 
documents and image information are transmitted and 
communicated in a form of electronic information. Such electronic 
information can be easily copied, so that it tends to be difficult to 
discriminate its copy and original from each other, thus bringing 
about an important issue of data integrity. In particular, it is 
indispensable for establishment of a highly information-oriented
society to implement such a computer network that meets the
factors of "sharing of computer resources," "multi-accessing," and
"globalization," which however includes various factors
contradicting the problem of data integrity among the parties
concerned. In an attempt to eliminate those contradictions,
encrypting technologies which have been mainly used in the past
military and diplomatic fields in the human history are attracting
world attention as an effective method for that purpose. 

A cipher communication is defined as exchanging 
information in such a manner that no one other than the parties 
concerned can understand the meaning of the information. In the
field of the cipher communication, encryption is defined as
converting an original text (plaintext) that can be understood by
anyone into a text (ciphertext) that cannot be understood by the
third party and decryption is defined as restoring a ciphertext into a
plaintext, and cryptosystem is defined as the overall processes
covering both encryption and decryption. The encrypting and
decrypting processes use secret information called an encryption 
key and a decryption key, respectively. Since the secret decryption 
key is necessary in decryption, only those knowing this decryption 
key can decrypt ciphertexts, thus maintaining data security. 

The encryption scheme is roughly classified into two types:
common-key cryptosystem and public-key cryptosystem. In a
common-key cryptosystem, an encryption key and a decryption key
are identical with each other, and a sender and a recipient perform
cryptographic communications by possessing an identical common
key. The sender encrypts a plaintext based on a secret common
key and transmits the resultant ciphertext to the recipient, and
then the recipient decrypts the ciphertext into the original plaintext 
by using this common key. 

On the other hand, in a public-key cryptosystem, an 
encryption key and a decryption key are different from each other,
and cryptographic communications are performed by encrypting a
plaintext by the sender with the use of a publicized public key of the
recipient and decrypting the resultant ciphertext by the recipient
with the use of its own secret key. The public key is a key used for
encryption and the secret key is a key used for decrypting the
ciphertext transformed by the public key, and the ciphertext
transformed by the public key can be decrypted only by the secret 
key. 

As a scheme of public-key cryptosystem, a product-sum type
cryptoscheme has been known. In this cryptosystem, an entity of
sender generates a ciphertext $C = m_1 c_1 + m_2 c_2 + \cdots + m_K c_K$ by using
both a plaintext vector $m = (m_1, m_2, \ldots, m_K)$ obtained by dividing a
plaintext into K parts and a base vector $c = (c_1, c_2, \ldots, c_K)$ as public
key. The other entity of recipient decrypts the ciphertext C into
the plaintext vector m by using a secret key thereby to obtain the
original plaintext. Prior art product-sum type cryptoschemes use
an operation on an integer ring.

With regard to such a product-sum type cryptography, 
various new cryptoschemes have been proposed and investigated 
from the viewpoint of security improvement, process time speedup,
and the like.

Nevertheless, such a product-sum type cryptography, by
nature, has a feature of being easily attacked by using a
mathematical LLL (Lenstra-Lenstra-Lovasz) algorithm which
decrypts each component of a plaintext vector m from each
component of a base vector c made public. Thus, the development
of a product-sum type encryption method resistive to attacks by the
LLL algorithm has been desired.

BRIEF SUMMARY OF THE INVENTION

An object of the present invention is to provide a 
product-sum type encryption method of new scheme resistive to 
attacks by LLL algorithm because of constituting a cryptosystem on 
a finite field, thereby improving the security. 

Another object of the present invention is to provide a
decryption method of decrypting a ciphertext generated by the
above-mentioned encryption method into a plaintext, a
cryptographic communication method and a cryptographic
communication system using the above-mentioned encryption
method and decryption method, and a memory product/data signal
embodied in carrier wave for recording/transmitting an operation 
program of the encryption method. 

In a first aspect of the present invention, secret keys, public 
keys, random numbers, and the like are expressed in a polynomial
representation, whereby a product-sum type cryptosystem is
constituted on a finite field instead of an integer ring. As a result,
the cryptosystem is more resistive to attacks by LLL algorithm than 
a product-sum type cryptosystem on an integer ring, thereby 
improving the security. 

In a second aspect of the present invention, each term of 
intermediate decrypted text is constituted of an error correcting 
code word, whereby the original plaintext can be reproduced 
accurately by the correction capability of the code word even if an 
error of a certain extent occurs. 

In a third aspect of the present invention, a plurality of 
public keys are previously prepared for each of divided plaintexts 
obtained by dividing a plaintext. For each of the divided plaintexts, 
an arbitrary public key is selected from among the prepared 
plurality of public keys, whereby a ciphertext is generated by using 
the selected public keys. As such, public keys are selective, that is, 
an entity of sender can arbitrarily select the public keys to generate 
a ciphertext. Accordingly, the manner of the public key selection is
unknown to attackers, which makes attacks difficult thereby to 
improve the security further. 

The above and further objects and features of the present 
invention will more fully be apparent from the following detailed 
description with accompanying drawings. 



BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE 
DRAWINGS 
FIG. 1 is a schematic diagram showing a situation of
informational communication between two entities in accordance 
with a first embodiment; 

FIG. 2 is a diagram showing a public key list in a database of 
a first example of the first embodiment;

FIG. 3 is a diagram showing a public key list in a database of 
a second example of the first embodiment; 

FIG. 4 is a schematic diagram showing a situation of 
informational communication between two entities in accordance 
with a second embodiment; and

FIG. 5 is a diagram showing the configuration of an 
embodiment of a memory product. 

DETAILED DESCRIPTION OF THE INVENTION 
The embodiments of the present invention are described
below in detail.

First, the polynomial representation in the present invention
is explained. The m shown in the following (1) represents a
message generated by encoding a plaintext M for the purpose of
class selection information in the first embodiment described later
or error correction detection in the second embodiment described
later. Here, K is the number of division of the plaintext M.

$m = (m_1, m_2, \ldots, m_K)$ ... (1)

Although each component $m_i$ (i = 1, 2, ..., K) of the message m is a
$k_i$-dimensional vector on a finite field (Galois field) $F_q$, an
assumption is made herein such that q=2 and $k_i = k$ (constant), for
the simplicity of description.

As such, the message m is previously encoded. In order to
emphasize this fact, each component $m_i$ of the message m is
rewritten into $m_i'$, and the $m_i'$ is expressed by the following (2) with
$m_{ij}' \in F_2$. Further, the component $m_i$ is expressed by the following
(3) in a polynomial representation.

$m_i' = (m_{i1}', m_{i2}', \ldots, m_{ik}')$ ... (2)

$m_i'(X) = m_{i1}' + m_{i2}' X + \cdots + m_{ik}' X^{k-1}$ ... (3)

Meanwhile, a value A is expressed by a vector s or a
polynomial s(X) herein, and the vector s and the polynomial s(X) are
referred to as a vector representation and a polynomial
representation of A, respectively.

(First embodiment: arbitrary selection of public keys in a
product-sum type cryptosystem on a finite field)

FIG. 1 is a schematic diagram showing a situation that an 
encryption method/decryption method in accordance with the first 
embodiment is used in an informational communication between 
two entities a, b. In the example of FIG. 1, an entity a encrypts a
plaintext M into a ciphertext C, thereby transmitting the ciphertext
C through a communication channel 1 to the other entity b. The 
entity b decrypts the ciphertext C into the original plaintext M. 

The entity a of sender comprises: a plaintext divider 2
for dividing a plaintext M into a plurality of divided plaintexts; a
public key selector 5 for selecting a public key for each divided
plaintext from a database 10; and an encryptor 3 for generating a
ciphertext C using the selected public keys and divided plaintexts. 
On the other hand, the entity b of recipient comprises a decryptor 4 
for decrypting the transmitted ciphertext C into the original 
plaintext M. In the first embodiment, secret keys, public keys, 
random numbers, and the like are expressed in a polynomial 
representation as described later, whereby a product-sum type 
cryptosystem is constituted on a finite field. 
[First example of the first embodiment] 

FIG. 2 is a diagram showing a public key list (base list) in 
the database 10 previously storing a plurality of public keys for each 
divided plaintext. In FIG. 2, K is the number of division (number of 
classes) of a plaintext M, and J is the total number of the public 
keys (bases) of selection objectives for each class i (i = 1, 2, ..., K). J
public keys (bases) are prepared for each divided plaintext (each 
class) except for the class 1. 

The entity a of sender arbitrarily selects and reads out a key 
(base) for each divided plaintext (each class) from the database 10 
storing such public keys (bases), and then uses the read-out K 
public keys (bases) as encryption keys. Here, the number of the 
possible selection combinations of public keys (bases) allowed for 
the entity a is $J^{K-1}$. The existence of the $J^{K-1}$ combinations of public
keys (bases) provides grounds for the further security of the first 
embodiment, in addition to the constitution on a finite field. 
(Preparation) 



Some symbols are defined as follows.
$m_i'$: component of message m; $m_i' \in F_q$ ($q = 2^k$)
$\alpha_i, \beta_i$: random numbers; $\alpha_i, \beta_i \in F_q$
$v_i$: random number vector on $F_q$ belonging to class i of public
key list
$b_i$: base; $b_i = \alpha_i + \beta_i X$
(Encryption)

Secret keys and public keys are prepared as follows.
• Secret keys: $\{b_i(X)\}$, $\{v_i(X)\}$, $w(X)$, $P(X)$, permutation matrix $P(*)$
• Public keys: $\{c_i^{(j)}(X)\}$, $F_q$

With P(X) being an appropriately selected, secret irreducible
polynomial, the following (4) is deduced.

$b_1(X) b_2(X) \cdots b_{i-1}(X) v_i^{(j)}(X) w(X) = c_i^{(j)}(X) \pmod{P(X)}$ ... (4)

The polynomial representation $b_1(X) b_2(X) \cdots b_{i-1}(X) v_i(X)$ of
the plurality of public keys of selection objectives shown in FIG. 2
corresponds to a vector representation $b_1 b_2 \cdots b_{i-1} v_i$.
Encryption is carried out on $F_q$ as shown in the following (5).

$C(X) = \sum_{i=1}^{K} m_i' c_i^{(j)}(X)$ ... (5)

(Decryption) 

By using a secret polynomial $w^{-1}(X)$ satisfying the following
(6), an intermediate decrypted text $M(X) = C(X) w^{-1}(X) \pmod{P(X)}$
is deduced as shown in the following (7) with $1 \le j \le J$.

$w(X) w^{-1}(X) = 1 \pmod{P(X)}$ ... (6)

$C(X) w^{-1}(X) = m_1' v_1(X) + m_2' b_1(X) v_2^{(j)}(X) + \cdots + m_K' b_1(X) b_2(X) \cdots b_{K-1}(X) v_K^{(j)}(X) \pmod{P(X)}$ ... (7)

After the lowest order term $m_1' v_1(X)$ of the intermediate
decrypted text M(X) is decrypted, the subsequent terms can be
decrypted similarly.

By using the inverse element $v_1^{-1}(X)$ of $v_1(X)$ modulo $b_1(X)$,
the following (8) is deduced. Here, as shown in FIG. 2, the base
($v_1(X)$) is uniquely selected in the class 1.

$M(X) v_1^{-1}(X) = m_1' \pmod{b_1(X)}$ ... (8)

The encoded component $m_1$ of the original plaintext is
decoded from $m_1'$, and the selection information of base (public key)
in the class 2 is decrypted according to the following (9).

$m_1' = j \pmod{J}$ ... (9)

Thus, the selected base (public key $b_1(X) v_2^{(j)}(X)$) in the class
2 is specified, therefore, $m_2'$ can be decrypted in the same manner as
that for $m_1'$. That is, the $m_2'$ is decrypted according to the following
(10). The $m_3'$ to $m_K'$ are decrypted similarly.

$\frac{M(X) - m_1' v_1(X)}{b_1(X)} = m_2' v_2^{(j)}(X) + m_3' b_2(X) v_3^{(j)}(X) + \cdots + m_K' b_2(X) \cdots b_{K-1}(X) v_K^{(j)}(X)$ ... (10)

As such, the description of the first example has been made 
for the case that the lowest order term of message of a product-sum 
type ciphertext is first decrypted and that the higher order terms of 
message are then sequentially decrypted. However, the process 
may be reversed such that the highest order term of message is first 
decrypted and that the lower order terms of message are then 
sequentially decrypted. 
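
The first example above, equations (4) to (10), as a runnable toy; this is an added illustration, not code from the patent. Assumptions: k = 8 with GF(2^8) modulus 0x11B, K = 3 and J = 4, every $v_i^{(j)}$ taken as a nonzero constant, and the low bits of $m_i'$ carrying the next class's key index; parameters this small give no security.

```python
import secrets
from functools import reduce

Q = 256               # q = 2^k with k = 8: coefficients live in F_q = GF(2^8)
FIELD_POLY = 0x11B    # assumed modulus for GF(2^8): x^8 + x^4 + x^3 + x + 1
K, J = 3, 4           # K classes (so P is a cubic), J keys per class, J < 2^k (23)

def gmul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a & Q:
            a ^= FIELD_POLY
    return r

def ginv(a):
    return reduce(lambda r, _: gmul(r, a), range(Q - 2), 1)   # a^(q-2) = a^-1

# Polynomials over F_q are coefficient lists, lowest order first; [] is zero.
def trim(p):
    p = list(p)
    while p and p[-1] == 0:
        p.pop()
    return p

def padd(a, b):
    n = max(len(a), len(b))
    return trim(x ^ y for x, y in zip(a + [0] * (n - len(a)), b + [0] * (n - len(b))))

def pmul(a, b):
    r = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            r[i + j] ^= gmul(x, y)
    return trim(r)

def pdivmod(a, b):
    a, inv = trim(a), ginv(b[-1])          # b must have a nonzero leading term
    q = [0] * max(len(a) - len(b) + 1, 0)
    while len(a) >= len(b):
        f, s = gmul(a[-1], inv), len(a) - len(b)
        q[s] = f
        for i, y in enumerate(b):
            a[s + i] ^= gmul(f, y)
        a = trim(a)
    return trim(q), a

def peval(p, x):
    return reduce(lambda r, c: gmul(r, x) ^ c, reversed(p), 0)   # Horner

def pmodpow(base, e, mod):
    r = [1]
    while e:
        if e & 1:
            r = pdivmod(pmul(r, base), mod)[1]
        base, e = pdivmod(pmul(base, base), mod)[1], e >> 1
    return r

def nonzero():
    return secrets.randbelow(Q - 1) + 1

def keygen():
    while True:   # secret monic cubic P(X); a cubic with no root in F_q is irreducible
        P = [secrets.randbelow(Q) for _ in range(K)] + [1]
        if all(peval(P, x) for x in range(Q)):
            break
    w = [secrets.randbelow(Q), secrets.randbelow(Q), nonzero()]    # secret w(X)
    b = [[nonzero(), nonzero()] for _ in range(K)]          # b_i = alpha_i + beta_i X
    v = [[nonzero() for _ in range(1 if i == 0 else J)] for i in range(K)]
    pub, prefix = [], [1]
    for i in range(K):   # equation (4): c_i^(j) = b_1 ... b_{i-1} v_i^(j) w mod P
        pub.append([pdivmod(pmul(pmul(prefix, [vij]), w), P)[1] for vij in v[i]])
        prefix = pmul(prefix, b[i])
    # F_q[X]/P is a field of q^K elements, so w^(q^K - 2) is the inverse in (6)
    return pub, (P, pmodpow(w, Q ** K - 2, P), b, v)

def encrypt(pub, payload, choice):
    """payload: K ints below Q // J; choice[i]: key index for class i+1 (choice[0] = 0)."""
    C = []
    for i in range(K):
        nxt = choice[i + 1] if i + 1 < K else 0
        m = payload[i] * J + nxt     # m_i' mod J names the next class's key, as in (9)
        C = padd(C, pmul([m], pub[i][choice[i]]))            # equation (5)
    return C

def decrypt(priv, C):
    P, w_inv, b, v = priv
    M = pdivmod(pmul(C, w_inv), P)[1]   # intermediate decrypted text, equation (7)
    out, j = [], 0
    for i in range(K):
        vij = v[i][j]
        root = gmul(b[i][0], ginv(b[i][1]))   # b_i(root) = 0, so M mod b_i = M(root)
        m = gmul(peval(M, root), ginv(vij))                  # equation (8)
        M = pdivmod(padd(M, [gmul(m, vij)]), b[i])[0]        # equation (10)
        out.append(m // J)
        j = m % J                    # key index the sender chose for the next class
    return out
```

Calling `keygen()`, then `encrypt(pub, [17, 42, 63], [0, 3, 1])` and `decrypt(priv, C)` returns the payload without the recipient being told which keys were selected.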
[Second example of the first embodiment] 

FIG. 3 is a diagram showing a public key list (base list) in 
the database 10 previously storing a plurality of public keys for each 
divided plaintext. In FIG. 3, K is the number of division (number 
of classes) of a plaintext M, and J is the total number of the public 
keys (bases) of selection objectives for each class i (i = 1, 2, ..., K-2).
J public keys (bases) are prepared for each divided plaintext (each
class) except for the (K-1)-th and the K-th class.

The entity a of sender arbitrarily selects and reads out a key 
(base) for each divided plaintext (each class) from the database 10 
storing such public keys (bases), and then uses the read-out K 
public keys (bases) as encryption keys. Here, the number of the 
possible selection combinations of public keys (bases) allowed for 
the entity a is $J^{K-2}$.
(Preparation) 

Some symbols are defined as follows.

$m_i'$: component of message m; $m_i' \in F_q$ ($q = 2^k$)
$\alpha_i^{(j)}, \beta_i^{(j)}$: random numbers; $\alpha_i^{(j)}, \beta_i^{(j)} \in F_q$
$b_i$: base; $b_i^{(j)}(X) = \alpha_i^{(j)} + \beta_i^{(j)} X$
(Encryption)

Secret keys and public keys are prepared as follows.
• Secret keys: $\{b_i(X)\}$, $w(X)$, $P(X)$, permutation matrix $P(*)$
• Public keys: $\{c_i^{(j)}(X)\}$, $F_q$

With P(X) being an appropriately selected, secret irreducible
polynomial, the following (11) is deduced.

$b_i^{(j)}(X) w(X) X^{i-1} = c_i^{(j)}(X) \pmod{P(X)}$ ... (11)

Here, the components of vector $a^{(j)}$ are randomly located by
the secret permutation matrix P(*). In FIG. 3, a vector
representation of $b_i^{(j)}(X)$ is expressed by $b_i^{(j)}$. The reason why only
one base is used in the classes $K-1$, $K$ as described above in FIG. 3
is to achieve a high-speed decryption as described later.

Encryption is carried out on $F_q$ as shown in the following
(12).

$C(X) = \sum_{i=1}^{K} m_i' c_i^{(j)}(X)$ ... (12)

(Decryption) 

By using a secret polynomial $w^{-1}(X)$ satisfying the following
(13), an intermediate decrypted text $M(X) = C(X) w^{-1}(X) \pmod{P(X)}$
is deduced as shown in the following (14) with $1 \le j \le J$.

$w(X) w^{-1}(X) = 1 \pmod{P(X)}$ ... (13)

$C(X) w^{-1}(X) = m_1' b_1^{(j)}(X) + m_2' b_2^{(j)}(X) X + \cdots + m_K' b_K(X) X^{K-1} \pmod{P(X)}$ ... (14)

When the highest order term $m_K'$ of the intermediate
decrypted text M(X) is decrypted, the second highest order term
$m_{K-1}'$ to the lowest order term $m_1'$ can be decrypted similarly. Thus,
the description herein is made below by focusing on the decryption
of $m_K'$.

Let $S_i(M)$ generally indicate the operation of sampling the
2k digits corresponding to the bases $b_{i-1}^{(j)}$, of a vector M, and let
the sampled series be expressed by a polynomial $S_M(X)$. The series
$S_{M_K}(X)$ generated by sampling the highest 2k digits of the
intermediate decrypted text M(X) given by equation (14) is obtained
by the following (15). Here, $e_{K-1}(X)$ is a polynomial representation
of the highest k digits of the second highest term $m_{K-1}'(X) b_{K-1}(X)$.

$S_{M_K}(X) = m_K'(X) b_K(X) + e_{K-1}(X)$ ... (15)

The above-mentioned $e_{K-1}(X)$ is generally called a postfix.
The $e_{K-1}(X)$ can be deduced according to the following (16),
whereby the message $m_K'(X)$ can be decrypted according to the
following (17).

$S_{M_K}(X) = e_{K-1}(X) \pmod{b_K(X)}$ ... (16)

$\frac{S_{M_K}(X) - e_{K-1}(X)}{b_K(X)}$ ... (17)

As shown in FIG. 3, there is no room for selection in the
classes $K-1$, $K$, then the $b_{K-1}$, $b_K$ are uniquely selected in
respective classes. While the original information $m_K$ is decrypted
from $m_K'$, the selection information of base in the class $K-2$ is
decrypted according to the following (18). More generally, the
selection information of base in the class $i-2$ is obtained using
$m_i' = j \pmod{J}$.

$m_K' = j \pmod{J}$ ... (18)

As such, the base selection information of the second next
class is decrypted. The purpose of this is to prepare the base $b_{i-2}^{(j)}$
before entering the encryption of $S_{i-2}(M)$ given for the class $i-2$.
As a result, the decryption process can be sequentially performed
without delay.

The form of the base in the class $K-2$ is specified
according to $m_K' = j \pmod{J}$, therefore, $m_{K-2}'$ can be decrypted in the
same manner as that for $m_K'$. Further, by rewriting $m_{K-1}'$ as
shown in the following (19), the $m_{K-1}'$ can be decrypted in the same
manner as that for $m_K'$. The $m_1'$ to $m_{K-2}'$ can be decrypted
sequentially in descending order by the similar process.

$M_{K-1}(X) = M_K(X) + m_K'(X) b_K(X) X^{K-1}$ ... (19)

In the above-mentioned first example, the decryption process
of message and the decryption process of base selection information
cannot be performed in parallel. In contrast, in the second
example, the base selection information of class $i-2$ can be obtained
during the decryption of the i-th message, that is, the decryption
process of message and the decryption process of base selection
information can be performed in parallel. More specifically, the
operation of the above-mentioned (16) in the i-th class and the
operation of the above-mentioned (17) in the $(i-1)$-th class can be
performed in parallel. This is what is called a pipeline processing,
which permits a much higher-speed decryption processing in the
second example than in the first example.

The description of the second example has been made for the
case that the highest order term of message of a product-sum type
ciphertext is first decrypted and that the lower order terms of
message are then sequentially decrypted. However, the process
may be reversed such that the lowest order term of message is first
decrypted and that the higher order terms of message are then
sequentially decrypted.

Next, the security in the first embodiment described above is
explained. The j-th public key $c_i^{(j)}(X)$ in the class i is expressed by
the following (20).

$c_i^{(j)}(X) = c_{i1}^{(j)} + c_{i2}^{(j)} X + \cdots + c_{iK}^{(j)} X^{K-1}$ ... (20)

Observing that the message $m_i$ in the class i is involved into
a product independently of each coefficient of the polynomial
expressed by the above-mentioned (20), the vector
$(c_{i1}^{(j)}, c_{i2}^{(j)}, \ldots, c_{iK}^{(j)})$
on $F_q$ corresponding to the coefficient of the polynomial of the
above-mentioned (20) can be randomly scrambled in an appropriate
order known to the recipient alone but by a permutation common to
each class. Thus, the designer can save the permutation matrix
P(*) as a secret key. Accordingly, number-theoretical attacks to
the public information is practically impossible for 30 or so.
For example, in the case that k=16 for the k in $F_q$ with $q = 2^k$ and
that K=32, the total number of trials necessary to obtain the correct
order is approximately $2.6 \times 10^{35}$.

Let a vector representation of a ciphertext C be the following
(21), where each component thereof is set as the following (22).

$C = (C_1, C_2, \ldots, C_K)$ ... (21)

$C_l = \sum_{i} m_i c_{il}^{(j)}$ ... (22)

Here, observing that $C_l, m_i, c_{il}^{(j)} \in F_q$, an attack by LLL
algorithm is difficult to apply to the above-mentioned (22). Here,
$J \ge 2$ is necessary because, otherwise, the above-mentioned (22) is
decrypted self-evidently by a simple linear transformation. The
number of the random selections of public keys is $J^{K-1}$ (first
example) and $J^{K-2}$ (second example); thus, $J^{K-1} > 1$ and $J^{K-2} > 1$ are
possible. Accordingly, an attack to a public-key cryptography in
accordance with the first embodiment can be carried out only one by
one; therefore, this encryption/decryption method is very powerful.

Meanwhile, the public key size and the encryption key size of
each entity in accordance with the first embodiment are given as
follows.

public key size: $J K^2 k$ bits
encryption key size of each entity: $K^2 k$ bits

Since the message has been encoded at the beginning of a
cryptographic communication, the following condition (23) is
required according to the above-mentioned conditions (9), (18), and
hence, the rate (information transmission rate) becomes less than 1.

$J < 2^k$ ... (23)

However, in case that the selected keys are fixed during a
predetermined time duration or during the data transmission of a
predetermined amount of data, the above-mentioned condition (23)
is unnecessary, and hence, the rate becomes approximately 1.

Specific numerical examples are described below.
<Numerical example 1>
In a rather large-scale case of k=16, K=1024, and J=1024,
the public key size is $2^{10} \cdot 2^{20} \cdot 2^{4} = 2^{34}$ bits ≈ 2.147 Gbytes, and the
encryption key size of each entity is 2.0 kbytes.
<Numerical example 2>
In a rather small-scale case of k=8, K=128, and J=128, the
public key size is 2.097 Mbytes, and the encryption key size of each
entity is 16.384 kbytes.
<Numerical example 3>
In case of k=16, K=128, and J=128, the public key size is 4.19
Mbytes, and the encryption key size of each entity is 32.8 kbytes.
The principal operation for encryption is a product-sum operation of
128 elements of $F_q$ ($q = 2^{16}$) (for example, carried out in seven steps by
a 128 parallel processing). The principal operations for decryption
are a multiplicative and divisional operation of a polynomial of
degree 128 on $F_q$ ($q = 2^{16}$) and 128 successive multiplicative and
divisional operations of a polynomial of degree one on $F_q$ ($q = 2^{16}$).
<Numerical example 4>
In case of k=8, K=32, and J=16, the public key size is 16.4
kbytes, and the encryption key size of each entity is 1.02 kbytes.
The principal operation for encryption is a product-sum operation of
32 elements of $F_q$ ($q = 2^{8}$) (for example, carried out in five steps by a
32 parallel processing). The principal operations for decryption are
a multiplicative and divisional operation of a polynomial of degree
32 on $F_q$ ($q = 2^{8}$) and 32 successive multiplicative and divisional
operations of a polynomial of degree one on $F_q$ ($q = 2^{8}$).

The rate and the improvement thereof in the second example
are described below. Since the degree of the secret polynomial P(X)
is K+1, input plaintext length Lm and output ciphertext length Lc
are given by the following (24) and (25), respectively, and further,
rate r is given by the following (26).

$L_m = K k$ ... (24)
$L_c = (K+1) k$ ... (25)
$r = K/(K+1)$ ... (26)

Let us consider a condition necessary for the rate r to be
completely 1. Assume that the bases $b_1^{(j)}$ in the class 1 are all
constant terms alone, that is, $b_1^{(j)} = \alpha_1^{(j)}$. In this case, the following
(27) is assumed to be satisfied. Further, vector
$P(w_1^{(j)}, w_2^{(j)}, \ldots, w_K^{(j)})$ is deduced by randomly permutating the
components of the coefficient vector $(w_1^{(j)}, w_2^{(j)}, \ldots, w_K^{(j)})$, and
designated to subkeys of the class 1 of the public key list.

$\alpha_1^{(j)} w(X) = w_1^{(j)} + w_2^{(j)} X + w_3^{(j)} X^2 + \cdots + w_K^{(j)} X^{K-1}$ ... (27)

Even in this case, as long as K > 1, a trial-and-error attack to
the $P(w_1^{(j)}, w_2^{(j)}, \ldots, w_K^{(j)})$ is still practically impossible.

Therefore, input plaintext length Lm, output ciphertext
length Lc, and rate r are given by the following (28), (29), and (30),
respectively.

$L_m = K k$ ... (28)
$L_c = K k$ ... (29)
$r = 1$ ... (30)

(Second embodiment: a product-sum type cryptography using error
correcting code on a finite field)

FIG. 4 is a schematic diagram showing a situation that an 
encryption method/decryption method in accordance with the 
second embodiment is used in an informational communication
between two entities a, b. Similarly to the FIG. 1, also in the
example of FIG. 4, an entity a encrypts a plaintext M into a
ciphertext C, thereby transmitting the ciphertext C through a
communication channel 1 to the other entity b. The entity b
decrypts the ciphertext C into the original plaintext M.

The entity a of sender comprises: a plaintext divider 2 for
dividing a plaintext M into a plurality of divided plaintexts; and an
encryptor 3 for generating a ciphertext C using public keys and
divided plaintexts. On the other hand, the entity b of recipient
comprises a decryptor 4 for decrypting the transmitted ciphertext C
into the original plaintext M. In the second embodiment, similarly
to the first embodiment, secret keys, public keys, random numbers,
and the like are expressed in a polynomial representation, whereby
a product-sum type cryptosystem is constituted on a finite field.
(Encryption) 

Secret keys and public keys are prepared as follows.
• Secret keys: $\{X^{a_i} g_i(X)\}$, $w(X)$, $P(X)$
• Public keys: $\{c_i(X)\}$, encoding parameters for m
Let a code polynomial on $F_2$ of degree $g_i$ be $g_i(X)$. However,
$g_i = g$ (constant) is assumed herein for the simplicity of description.
With P(X) being an appropriately selected, secret polynomial, the
following (31) is deduced. Here, $a_i = a$ (constant) is assumed
similarly to the above-mentioned $g_i$.

$X^{a_i} g_i(X) w(X) = c_i(X) \pmod{P(X)}$ ... (31)

Encryption is carried out as shown in the following (32).

$C(X) = \sum_{i=1}^{K} m_i'(X) c_i(X)$ ... (32)
(Decryption) 

[First decryption example of the second embodiment]

By using a secret polynomial $w^{-1}(X)$ satisfying the following
(33), an intermediate decrypted text M(X) is deduced as shown in
the following (34). More specifically, the intermediate decrypted
text M(X) is obtained as shown in the following (35).

$w(X) w^{-1}(X) = 1 \pmod{P(X)}$ ... (33)

$M(X) = C(X) w^{-1}(X) \pmod{P(X)}$ ... (34)

$M(X) = g_1(X) m_1'(X) + g_2(X) m_2'(X) X^{a} + \cdots + g_K(X) m_K'(X) X^{(K-1)a}$ ... (35)

In the above, the degree p of the secret polynomial P(X) is set
to be larger by 1 than the degree of the right-hand side of the
above-mentioned (35). Then, p satisfies the following condition
(36).

$p = g + k + (K-1) a + 1$ ... (36)
Let $S_a(w)$ indicate the operation of sampling the lowest n
digits of the vector w, and let the sampled series be expressed by a
polynomial $S_w(X)$. Then, the following (a), (b) hold.

(a): In a series $S_w(X)$ sampled from the intermediate
decrypted text M(X) given by the above-mentioned (35), when a <
g + k = n, the end $e_1(X)$ of length (g + k - a) of the second term is in
an additional form as shown in the following (37).

$g_1(X) m_1(X) + e_1(X) X^{a}$ ... (37)

(b): Let the degree of the end $e_1(X)$ be (e - 1). Then, in case
that $g \ge e$, the $e_1(X)$ is correctable as a disappearance error.

According to (a), (b), the $e_1(X) X^{a}$ in $S_w(X)$ can be corrected as
a disappearance error. Therefore, $g_1(X) m_1(X)$ can be decrypted,
whereby $m_1(X)$ can be easily decrypted. That is, each term of the
intermediate decrypted text has a form of product-sum component
plus noise component. However, since the product-sum component
is an error correcting code word, the noise component can be
corrected as an error by the error correction capability thereof,
whereby the product-sum component can be decrypted purely and
accurately. The subsequent terms can be decrypted similarly to
the first term. As such, in the first decryption example, decryption
is performed sequentially from the lowest order term in ascending
order.

[Second decryption example of the second embodiment] 

By using a secret polynomial $w^{-1}(X)$ satisfying the following
(38), an intermediate decrypted text M(X) is deduced as shown in
the following (39). More specifically, the intermediate decrypted
text M(X) is obtained as shown in the following (40).

$w(X) w^{-1}(X) = 1 \pmod{P(X)}$ ... (38)

$M(X) = C(X) w^{-1}(X) \pmod{P(X)}$ ... (39)

$M(X) = g_1(X) m_1'(X) + g_2(X) m_2'(X) X^{a} + \cdots + g_K(X) m_K'(X) X^{(K-1)a}$ ... (40)



The following (c), (d) hold.

(c): In a series $S_w(X)$ sampled from the intermediate
decrypted text M(X) given by the above-mentioned (40), when a <
g + k = n, the $e_{K-1}(X)$ of the higher order (g + k - a) digits of the
second term $g_{K-1}(X) m_{K-1}'(X)$ is in an additional form as shown in
the following (41).

$g_K(X) m_K'(X) + e_{K-1}(X) X^{*}$ ... (41)

(d): Let the degree of the $e_{K-1}(X)$ be (e - 1). Then, in case
that $g \ge e$, the $e_{K-1}(X)$ is correctable as a disappearance error.

According to (c), (d), the $e_{K-1}(X)$ in $S_w(X)$ can be corrected as
a disappearance error. Therefore, $g_K(X) m_K'(X)$ can be decrypted,
whereby $m_K'(X)$ can be easily decrypted. As such, in the second
decryption example, decryption is performed sequentially from the
highest order term in descending order.

Meanwhile, in this second embodiment, similarly to the
above-mentioned first embodiment, a scheme can be used such that
public keys are arbitrarily selected. When such a scheme is
applied to the first example of the first embodiment, let $g_i(X)$ belong
to a class i; J pieces of $g_i(X)$ are prepared for each class except for
the class 1; $m_1$ is decoded from the $m_1(X)$ decrypted in the class 1;
and the public key selection information in the class 2 can be
obtained similarly. When such a scheme is applied to the second
example of the first embodiment, let $g_i(X)$ belong to a class i; J
pieces of $g_i(X)$ are prepared for each class except for the classes K,
K-1; $m_K$ is decoded from the $m_K(X)$ decrypted in the class K; and the
public key selection information in the class K-2 can be obtained
similarly.

FIG. 5 is a diagram showing the configuration of an 
embodiment of a memory product in accordance with the present 
invention. The program illustrated here contains an encryption 
process or a decryption process in accordance with the first 
embodiment or the second embodiment described above, and further 
is recorded in a memory product described below. A computer 20 is 
provided in each entity. 

In FIG. 5, a memory product 21 is composed of, for example, 
a server computer on the WWW (World Wide Web) installed apart 
from the installed location of the computer 20. In the memory 
product 21, a program 21a described above is recorded. The 
program 21a read out from the memory product 21 via a 
transmission medium 24 such as a communication line controls the 
computer 20 so as to generate a ciphertext from a plaintext or 
decrypt a ciphertext into a plaintext. 

A memory product 22 provided in the interior of the 
computer 20 is composed of a disk drive, a ROM, or the like built in. 
In the memory product 22, a program 22a described above is 
recorded. The program 22a read out from the memory product 22 
controls the computer 20 so as to generate a ciphertext from a 
plaintext or decrypt a ciphertext into a plaintext. 

A memory product 23 used in the loaded state into a disk
drive 20a provided in the computer 20 is composed of a
magneto-optical disk, a CD-ROM, a flexible disk, or the like
portable. In the memory product 23, a program 23a described
above is recorded. The program 23a read out from the memory
product 23 controls the computer 20 so as to generate a ciphertext
from a plaintext or decrypt a ciphertext into a plaintext.

As described above, in the present invention, since a 
product-sum type cryptosystem is constituted on a finite field, the 
cryptosystem is more resistive to attacks by LLL algorithm than a 
product-sum type cryptosystem on an integer ring, thereby
improving the security.

Further, each term of the intermediate decrypted texts is 
constituted of an error correcting code word, whereby the original 
plaintext can be reproduced accurately by the correction capability 
of the code word even if an error of a certain extent occurs. 

Furthermore, a plurality of public keys are previously
prepared for each of divided plaintexts generated by dividing a
plaintext. For each of the divided plaintexts, an arbitrary public
key is selected from among the prepared plurality of public keys,
whereby a ciphertext is generated by using the selected public keys.
As a result, one can arbitrarily select the public keys to generate a
ciphertext. Accordingly, the manner of the public key selection is
unknown to attackers, which makes attacks difficult thereby to
improve the security further.

As this invention may be embodied in several forms without
departing from the spirit of essential characteristics thereof, the
present embodiment is therefore illustrative and not restrictive,
since the scope of the invention is defined by the appended claims
rather than by the description preceding them, and all changes that
fall within metes and bounds of the claims, or equivalent of such
metes and bounds thereof are therefore intended to be embraced by
the claims.



